Mesa (9.1): integer overflow in XF86DRIGetClientDriverName() [ CVE-2013-1993 2/2]

[Ian Romanick]

Module: Mesa
Branch: 9.1
Commit: 6de60ddf9ccac6f185d8f4e88ddfc63a94bd670f
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=6de60ddf9ccac6f185d8f4e88ddfc63a94bd670f

Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Apr 26 16:33:03 2013 -0700

integer overflow in XF86DRIGetClientDriverName() [CVE-2013-1993 2/2]

clientDriverNameLength is a CARD32 and needs to be bounds checked before
adding one to it to come up with the total size to allocate, to avoid
integer overflow leading to underallocation and writing data from the
network past the end of the allocated buffer.

NOTE: This is a candidate for stable release branches.

Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Brian Paul <brianp at vmware.com>
(cherry picked from commit 306f630e676eb901789dd09a0f30d7e7fa941ebe)

---

 src/glx/XF86dri.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
index 8f53bd7..56e3557 100644
--- a/src/glx/XF86dri.c
+++ b/src/glx/XF86dri.c
@@ -305,9 +305,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,
    *ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
 
    if (rep.length) {
-      if (!
-          (*clientDriverName =
-           calloc(rep.clientDriverNameLength + 1, 1))) {
+      if (rep.clientDriverNameLength < INT_MAX)
+         *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1);
+      else
+         *clientDriverName = NULL;
+      if (*clientDriverName == NULL) {
          _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
          UnlockDisplay(dpy);
          SyncHandle();